Google Professional-Cloud-Network-Engineer Exam With Confidence Using Practice Dumps

To block traffic based on BGP ASN, you need to use Cloud Armor network edge security policies. Backend security policies protect backend services (like those behind an external HTTP(S) Load Balancer), but for traffic directly to Compute Engine instances with public IPs, you need a network edge security policy. Firewall policies operate at the VPC level and do not have the capability to filter based on BGP ASN. The —network-src-asns parameter is specifically used with Cloud Armor network edge security policies to filter traffic based on the source ASN.

Exact Extract:

"Cloud Armor network edge security policies can protect external IP addresses of virtual machine (VM) instances and load balancers. They support rules that allow or deny traffic based on various criteria, including source autonomous system numbers (ASNs) using the --network-src-asns parameter."

"Network edge security policies are designed for traffic destined for external IP addresses of Google Cloud resources that are not behind an external HTTP(S) load balancer, such as Compute Engine instances with public IP addresses."Reference: Google Cloud Armor Documentation - Network edge security policies overview

To control internet access on a per-URL basis (including hostname and path), you should deploy Secure Web Proxy with global access enabled. The Secure Web Proxy will allow policy-based filtering of web traffic, allowing control over which URLs can be accessed based on the URL list defined in the policy. Unlike Cloud NAT, which does not support FQDN filtering, Secure Web Proxy is designed to provide such control, especially for scenarios with sensitive or controlled internet access requirements.